kube-htpasswd is a tool to edit Kubernetes secrets that contains htpasswd files. Kubernetes secrets with htpasswd files are a common way of implementing basic-auth on nginx-ingress (https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx/examples/auth).
Usage:
kube-htpasswd [-cimBdpsDv] secretName username
kube-htpasswd -b[cmBdpsDv] secretName username password
kube-htpasswd -n[imBdps] secretName username
kube-htpasswd -nb[mBdps] secretName username password
kube-htpasswd -l secretName
Flags:
-b, --argued-password Use the password from the command line rather than prompting for it.
--as-uid string UID to impersonate for the operation.
-B, --bcrypt Force bcrypt encryption of the password (very secure).
--certificate-authority string Path to a cert file for the certificate authority
--client-certificate string Path to a client certificate file for TLS
--client-key string Path to a client key file for TLS
--cluster string The name of the kubeconfig cluster to use
-C, --context string The name of the kubeconfig context to use
-c, --create-secret Create a new secret.
-D, --delete Delete the specified user.
--disable-compression If true, opt-out of response compression for all requests to the server
-n, --dry-run Don't update secret; display results on stdout.
-h, --help help for kube-htpasswd
--insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
--kubeconfig string Path to the kubeconfig file to use for CLI requests.
-l, --list List users in the secret.
-m, --md5 Force MD5 encryption of the password.
-N, --namespace string If present, the namespace scope for this CLI request
--request-timeout string The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0")
--server string The address and port of the Kubernetes API server
-s, --sha Force SHA encryption of the password (insecure).
-i, --stdin-password Read password from stdin without verification (for script usage).
--tls-server-name string Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used
--token string Bearer token for authentication to the API server
--user string The name of the kubeconfig user to use
-v, --verify Verify password for the specified user.
Create a new secret called basic-auth and create a new user called gfleury.
$ kube-htpasswd -c basic-auth gfleury
Create a new user called second_user on a existing secret called basic-auth.
$ kube-htpasswd basic-auth second_user
Create a new user on a existing secret and pass the password as paramater.
$ kube-htpasswd basic-auth third_user third_password
Verify the user third_user password on basic-auth secret.
$ kube-htpasswd -v basic-auth third_user
Delete the user third_user from basic-auth secret.
$ kube-htpasswd -D basic-auth third_user
It by default point to the actual context on ~/.kube and default namespace. To change it use -C and -N.